PDF malware analysis — malicious · d07c20928711631a

MALICIOUS

PDF

81.2 KB Created: 2020-08-22 07:16:39 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 64e29fd77e313f2b742d4bcccb5840bb SHA-1: f424a0b9bea30ef49039a559b9ccd361a014aac6 SHA-256: d07c20928711631ad14bcac2e86196a5cf0a21bef0ebeadd4fefde1df439feb9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, many pointing to Shopify domains hosting other PDFs, but one critical link directs to a known malicious redirector. This suggests a link farm or SEO poisoning tactic to distribute malicious content. The primary malicious URL is https://ttraff.com/pify?keyword=surah+ar+rahman+arabic+bangla+pdf, which likely serves as a gateway to further malicious payloads. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=surah+ar+rahman+arabic+bangla+pdf
- http://bikurur.gratefulglass.net/uploads/1/3/1/3/131378942/5266689.pdf
- http://vepivel.priscillecanivet.com/uploads/1/3/1/8/131857054/ed5e15.pdf
- https://cdn.shopify.com/s/files/1/0430/3316/5986/files/kisatajoka.pdf
- https://cdn.shopify.com/s/files/1/0438/5511/8501/files/vovojagepirinaw.pdf
- https://cdn.shopify.com/s/files/1/0452/4287/6061/files/62108345948.pdf
- https://cdn.shopify.com/s/files/1/0430/8716/7645/files/zofomekiguvuwusi.pdf
- https://cdn.shopify.com/s/files/1/0440/5523/2677/files/64276038740.pdf
- https://cdn.shopify.com/s/files/1/0428/3655/7987/files/tuxojoxasowepuviduzefaw.pdf
- https://cdn.shopify.com/s/files/1/0438/9853/6091/files/oxford_beginner_s_chinese_dictionary.pdf
- https://cdn.shopify.com/s/files/1/0431/7092/2652/files/distributor_agreement_template_singapore.pdf
- https://cdn.shopify.com/s/files/1/0430/2356/4957/files/26715703784.pdf
- https://cdn.shopify.com/s/files/1/0450/5973/5704/files/renaissance_architecture_in_france.pdf
- https://cdn.shopify.com/s/files/1/0440/4455/0294/files/role_of_bibliography_in_conducting_a_research.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_006_off0000ff1a.bin` `84c2b002c5bd39f265ca5985ef75c336311a15a2c17a65cd5fb501a5ca231239`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xFF1A	31720 bytes
`font_00_sfnt_off0000a2ec.bin` `350a1d5cbf4033705a7bf28c049630cce644579b2cd119b941b4dea408b48b53`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA2EC	5632 bytes
`font_01_sfnt_off0000b5dd.bin` `df7b8cb33ae0bfe5ecb36a6b2b3bc91aa05390021aec478d686f572ce91534d2`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xB5DD	8316 bytes
`font_02_sfnt_off0000d0e4.bin` `7e0d67b2e49c14cbe438ad9f5a4542e0099dc2359d899778a8171ebe7c1cc0fb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xD0E4	14940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.